Closed dbird03 closed 3 years ago
I think the GUID 00000000-0000-0000-0000-000000000000 is "Any location". Using Graph Explorer with https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations it does not return any locations with that GUID but does return the locations I've created.

We don't use "Any location" for our location exclusions, but we do use "MFA Trusted IPs", so I'm guessing that's what 00000000-0000-0000-0000-000000000000 is in my error?
No - in the CA policy -> Conditions / Locations, you'll have something set for either Include or Exclude "Any location" with "MFA Trusted IPs" selected on the alternate. For example, you enforce MFA by including "Any location" and exclude "MFA Trusted IPs", or perhaps include "MFA Trusted IPs" and have not touched the Exclude property. The result either way is that the CA policy has that 00000000-0000-0000-0000-000000000000 property in it.

New-DCConditionalAccessPolicyDesignReport will have to account for a NamedLocation with the id 00000000-0000-0000-0000-000000000000 and skip it when generating the report.
The only way I could generate the report was to delete any CA policy that included Locations in Conditions.
00000000-0000-0000-0000-000000000000 is 'MFA Trusted IPs'.
I've updated New-DCConditionalAccessPolicyDesignReport to support this. However, my recommendation is to move away from the legacy MFA service and the exclusions there and use Named Locations in Azure AD instead.
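An added example (not DCToolbox code) of how a report can resolve the location ids a CA policy carries, treating the all-zeros id as "MFA Trusted IPs" and unknown ids as a reported value rather than a failure. It runs on constructed sample data; the commented live path assumes the Microsoft.Graph module and the `/identity/conditionalAccess` beta endpoints.

```powershell
# Added example, not part of DCToolbox: map Conditional Access location ids to names,
# including the all-zeros id that the legacy MFA service uses for "MFA Trusted IPs".

function Resolve-CALocationName {
    param(
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][hashtable]$NamedLocations   # id -> displayName from namedLocations
    )
    switch ($Id) {
        '00000000-0000-0000-0000-000000000000' { return 'MFA Trusted IPs (legacy MFA service)' }
        'All'        { return 'Any location' }           # Graph encodes "Any location" as 'All'
        'AllTrusted' { return 'All trusted locations' }  # and "All trusted locations" as 'AllTrusted'
        default {
            if ($NamedLocations.ContainsKey($Id)) { return $NamedLocations[$Id] }
            return "Unknown location ($Id)"              # report it instead of aborting the run
        }
    }
}

function Get-CALocationSummary {
    param(
        [Parameter(Mandatory)][object[]]$Policies,
        [Parameter(Mandatory)][hashtable]$NamedLocations
    )
    foreach ($p in $Policies) {
        $loc = $p.conditions.locations
        if (-not $loc) { continue }                      # policy has no location condition
        $all = @($loc.includeLocations) + @($loc.excludeLocations)
        [pscustomobject]@{
            Policy           = $p.displayName
            State            = $p.state
            Include          = ($loc.includeLocations | ForEach-Object { Resolve-CALocationName $_ $NamedLocations }) -join ', '
            Exclude          = ($loc.excludeLocations | ForEach-Object { Resolve-CALocationName $_ $NamedLocations }) -join ', '
            UsesLegacyMfaIPs = $all -contains '00000000-0000-0000-0000-000000000000'
        }
    }
}

# Constructed sample data in the shape the Graph beta endpoints return (ids/names are made up).
$namedLocations = @{ 'a1b2c3d4-1111-2222-3333-444455556666' = 'HQ Office' }
$policies = @(
    [pscustomobject]@{ displayName = 'Require MFA for all users'; state = 'enabled'
        conditions = @{ locations = @{ includeLocations = @('All'); excludeLocations = @('00000000-0000-0000-0000-000000000000') } } },
    [pscustomobject]@{ displayName = 'Block legacy auth'; state = 'enabled'; conditions = @{ locations = $null } }
)
Get-CALocationSummary -Policies $policies -NamedLocations $namedLocations | Format-Table -AutoSize

# Live tenant (assumes Microsoft.Graph module and the Policy.Read.All permission):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   $nl = @{}; (Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations').value |
#       ForEach-Object { $nl[$_.id] = $_.displayName }
#   $pol = (Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies').value
#   Get-CALocationSummary -Policies $pol -NamedLocations $nl
```

The UsesLegacyMfaIPs column makes it easy to list the policies that still depend on the legacy MFA service exclusions recommended against above.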
Thank you for your help with this one!
Nice one. Documentation here is the recommended alternative to MFA Trusted IPs: Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication
@DanielChronlund That was quick! I'll try the updated version when I'm back in the office next week.
I've pointed out many recommendations that should be made to this tenant's CA policies, and discontinuing use of the legacy MFA service is one of them. 🙂
I'm getting the error below when running New-DCConditionalAccessPolicyDesignReport. I used Microsoft Graph Explorer to submit a GET request for https://graph.microsoft.com/beta/conditionalAccess/policies, and I noticed a few of our policies do have a location in excludeLocations with the id "00000000-0000-0000-0000-000000000000".